feat: authentication middleware works with cluster provider

Cali0707 · Cali0707 · commit b35cadd268ae · 2025-09-30T15:59:39.000-04:00
Signed-off-by: Calum Murray &lt;cmurray@redhat.com&gt;
diff --git a/pkg/http/authorization.go b/pkg/http/authorization.go
@@ -1,8 +1,11 @@
 package http
 
 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 
@@ -20,7 +23,42 @@ import (
 
 type KubernetesApiTokenVerifier interface {
 	// KubernetesApiVerifyToken TODO: clarify proper implementation
-	KubernetesApiVerifyToken(ctx context.Context, token, audience string) (*authenticationapiv1.UserInfo, []string, error)
+	KubernetesApiVerifyToken(ctx context.Context, token, audience, cluster string) (*authenticationapiv1.UserInfo, []string, error)
+}
+
+// extractClusterFromRequest extracts cluster parameter from MCP request body
+func extractClusterFromRequest(r *http.Request) (string, error) {
+	if r.Body == nil {
+		return "", nil
+	}
+
+	// Read the body
+	body, err := io.ReadAll(r.Body)
+	if err != nil {
+		return "", err
+	}
+
+	// Restore the body for downstream handlers
+	r.Body = io.NopCloser(bytes.NewBuffer(body))
+
+	// Parse the MCP request
+	var mcpRequest struct {
+		Params struct {
+			Arguments map[string]interface{} `json:"arguments"`
+		} `json:"params"`
+	}
+
+	if err := json.Unmarshal(body, &mcpRequest); err != nil {
+		// If we can't parse the request, just return empty cluster (will use default)
+		return "", nil
+	}
+
+	// Extract cluster parameter
+	if cluster, ok := mcpRequest.Params.Arguments["cluster"].(string); ok {
+		return cluster, nil
+	}
+
+	return "", nil
 }
 
 // AuthorizationMiddleware validates the OAuth flow for protected resources.
@@ -128,7 +166,11 @@ func AuthorizationMiddleware(staticConfig *config.StaticConfig, oidcProvider *oi
 			}
 			// Kubernetes API Server TokenReview validation
 			if err == nil && staticConfig.ValidateToken {
-				err = claims.ValidateWithKubernetesApi(r.Context(), staticConfig.OAuthAudience, verifier)
+				cluster, clusterErr := extractClusterFromRequest(r)
+				if clusterErr != nil {
+					klog.V(2).Infof("Failed to extract cluster from request, using default: %v", clusterErr)
+				}
+				err = claims.ValidateWithKubernetesApi(r.Context(), staticConfig.OAuthAudience, cluster, verifier)
 			}
 			if err != nil {
 				klog.V(1).Infof("Authentication failed - JWT validation error: %s %s from %s, error: %v", r.Method, r.URL.Path, r.RemoteAddr, err)
@@ -198,9 +240,9 @@ func (c *JWTClaims) ValidateWithProvider(ctx context.Context, audience string, p
 	return nil
 }
 
-func (c *JWTClaims) ValidateWithKubernetesApi(ctx context.Context, audience string, verifier KubernetesApiTokenVerifier) error {
+func (c *JWTClaims) ValidateWithKubernetesApi(ctx context.Context, audience, cluster string, verifier KubernetesApiTokenVerifier) error {
 	if verifier != nil {
-		_, _, err := verifier.KubernetesApiVerifyToken(ctx, c.Token, audience)
+		_, _, err := verifier.KubernetesApiVerifyToken(ctx, c.Token, audience, cluster)
 		if err != nil {
 			return fmt.Errorf("kubernetes API token validation error: %v", err)
 		}
diff --git a/pkg/mcp/mcp.go b/pkg/mcp/mcp.go
@@ -106,7 +106,9 @@ func (s *Server) reloadKubernetesClusterProvider() error {
 	}
 
 	// close the old provider
-	s.p.Close()
+	if s.p != nil {
+		s.p.Close()
+	}
 
 	s.p = p
 
@@ -158,13 +160,24 @@ func (s *Server) ServeHTTP(httpServer *http.Server) *server.StreamableHTTPServer
 }
 
 // KubernetesApiVerifyToken verifies the given token with the audience by
-// sending an TokenReview request to API Server.
-func (s *Server) KubernetesApiVerifyToken(ctx context.Context, token string, audience string) (*authenticationapiv1.UserInfo, []string, error) {
+// sending an TokenReview request to API Server for the specified cluster.
+func (s *Server) KubernetesApiVerifyToken(ctx context.Context, token string, audience string, cluster string) (*authenticationapiv1.UserInfo, []string, error) {
 	if s.p == nil {
 		return nil, nil, fmt.Errorf("kubernetes cluster provider is not initialized")
 	}
 
-	return s.k.VerifyToken(ctx, token, audience)
+	// Use provided cluster or default
+	if cluster == "" {
+		cluster = s.p.GetDefaultCluster()
+	}
+
+	// Get the cluster manager for the specified cluster
+	m, err := s.p.GetClusterManager(ctx, cluster)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return m.VerifyToken(ctx, token, audience)
 }
 
 func (s *Server) GetEnabledTools() []string {
